- PDF Free Download

Size: px

Start display at page:

Download ""

Beryl Lawrence
5 years ago
Views:

Digitala signaturer med appendix Del 3: Mekanismer baserade på diskreta logaritmer (ISO/IEC 14888-3:2006, IDT) Information technology Security techniques

1 Provläsningsexemplar / Preview SVENSK STANDARD SS-ISO/IEC :2006 Fastställd Utgåva 1 Informationsteknik Säkerhetstekniker Digitala signaturer med appendix Del 3: Mekanismer baserade på diskreta logaritmer (ISO/IEC :2006, IDT) Information technology Security techniques Digital signatures with appendix Part 3: Discrete logarithm based mechanisms (ISO/IEC :2006, IDT) ICS Språk: engelska Publicerad: januari 2007 Copyright SIS. Reproduction in any form without permission is prohibited.

2 Den internationella standarden ISO/IEC :2006 gäller som svensk standard. Detta dokument innehåller den officiella engelska versionen av ISO/IEC :2006. The International Standard ISO/IEC :2006 has the status of a Swedish Standard. This document contains the official English version of ISO/IEC :2006. Upplysningar om sakinnehållet i standarden lämnas av SIS, Swedish Standards Institute, telefon Standarder kan beställas hos SIS Förlag AB som även lämnar allmänna upplysningar om svensk och utländsk standard. Postadress: SIS Förlag AB, STOCKHOLM Telefon: Telefax: E-post: sis.sales@sis.se. Internet:

3 SS-ISO/IEC :2006 (E) Contents Page Foreword... vi Introduction... vii 1 Scope Normative references Terms and definitions Symbols General model Parameter generation process Certificate-based mechanisms Identity-based mechanisms Parameter selection Validity of domain parameters and verification key Signature process Producing the randomizer Producing the pre-signature Preparing the message for signing Computing the witness (the first part of the signature) Computing the assignment Computing the second part of the signature Constructing the appendix Constructing the signed message Verification process Retrieving the witness Preparing message for verification Retrieving the assignment Recomputing the pre-signature Recomputing the witness Verifying the witness Certificate-based mechanisms DSA Parameters Generation of signature key and verification key Signature process Verification process KCDSA Parameters Generation of signature key and verification key Signature process Verification process Pointcheval/Vaudenay algorithm Parameters Generation of signature key and verification key Signature process Verification process EC-DSA Parameters Generation of signature key and verification key Signature process Verification process...21 iii

4 SS-ISO/IEC :2006 (E) Provläsningsexemplar / Preview 6.5 EC-KCDSA Parameters Generation of signature key and verification key Signature process Verification process EC-GDSA Parameters Generation of signature key and verification key Signature process Verification process Identity-based mechanisms IBS Parameters Generation of master key and signature/verification key Signature process Verification process IBS Parameters Generation of master key and signature/verification key Signature process Verification process Annex A (normative) ASN.1 module Annex B (normative) Conversion functions (I) B.1 Conversion from a field element to an integer (FE2I) B.2 Conversion from an integer to a field element (I2FE) B.3 Conversion from a field element to a bit sequence (FE2BS) B.4 Conversion from a bit sequence to an integer (BS2I) B.5 Conversion from an integer to a bit sequence (I2BS) B.6 Conversion between an integer and an octet string (I2OS & OS2I) Annex C (informative) Conversion functions (II) C.1 Conversion from an integer to a point (I2P) Annex D (normative) Generation of DSA domain parameters D.1 Generation of the prime p and q D.2 Generation of the generator G D.2.1 Unverifiable generation of G D.2.2 Verifiable generation of G Annex E (informative) The Weil and Tate pairings E.1 The functions f, g and d E.2 The Weil pairing E.3 The Tate pairing Annex F (informative) Numerical examples F.1 DSA mechanism F.1.1 Example F.1.2 Example F.2 KCDSA mechanism F.2.1 Parameters iv

5 SS-ISO/IEC :2006 (E) F.2.2 Signature key and verification key...49 F.2.3 Per message data...49 F.2.4 Signature...49 F.2.5 Verification...49 F.3 Pointcheval-Vaudenay mechanism...49 F.3.1 Parameters...49 F.3.2 Signature key and verification key...49 F.3.3 Per message data...50 F.3.4 Signature...50 F.3.5 Verification...50 F.4 EC-DSA mechanism...50 F.4.1 Example 1: Field F m 2, m = F.4.2 Example 2: Field F P, 192-bit Prime P...51 F.5 EC-KCDSA mechanism...52 F.5.1 Example 1: Field F m 2, m = F.5.2 Example 2: Field F P, 192-bit Prime P...53 F.5.3 Example 2: Field F m P, 32-bit P and m = F.6 EC-GDSA mechanism...55 F.6.1 Domain and User Parameters...55 F.6.2 Example 1: Field F P, 192-bit Prime P...55 F.7 IBS-1 mechanism...56 F.7.1 Example 1: Field F p, 512-bit Prime p...56 F.7.2 Example 2: Field F p, 512-bit Prime p...58 F.8 IBS-2 mechanism...60 F.8.1 Example 1: Field F p, 512-bit Prime p...60 Annex G (informative) Comparison of the signature schemes...64 G.1 Symbols and abbreviated terms for comparing the signature schemes...64 G.2 Comparison of the signature schemes...64 Annex H (informative) Claimed features for choosing a mechanism...66 Bibliography...67 v

6 SS-ISO/IEC :2006 (E) Provläsningsexemplar / Preview Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. ISO/IEC was prepared by Joint Technical Committee ISO/IEC JTC 1, Subcommittee SC 27, IT Security techniques. This second edition cancels and replaces the first edition (ISO/IEC :1998), which has been technically revised. It also incorporates Technical Corrigendum ISO/IEC :1998/Cor.1:2001. New mechanisms and object identifiers have been specified. ISO/IEC consists of the following parts, under the general title Information technology Security techniques Digital signatures with appendix: Part 1: General Part 2: Integer factorization based mechanisms Part 3: Discrete logarithm based mechanisms vi

7 SS-ISO/IEC :2006 (E) Introduction Digital signature mechanisms can be used to provide services such as entity authentication, data origin authentication, non-repudiation, and data integrity. A digital signature mechanism satisfies the following requirements. Given either or both of the following two things: o the verification key but not the signature key, o a set of signatures on a sequence of messages that an attacker has adaptively chosen, it should be computationally infeasible for the attacker: o to produce a valid signature on a new message, o to produce a new signature on a previously signed message, or o to recover the signature key. It should be computationally infeasible, even for the signer, to find two different messages with the same signature. NOTE Computational feasibility depends on the specific security requirements and environment. Digital signature mechanisms are based on asymmetric cryptographic techniques and involve three basic operations. A process for generating pairs of keys, where each pair consists of a private signature key and the corresponding public verification key. A process that uses the signature key, called the signature process. A process that uses the verification key, called the verification process. There are two types of digital signature mechanisms. When, for a given signature key, any two signatures produced for the same message are always identical, the mechanism is said to be non-randomized (or deterministic); see ISO/IEC When, for a given message and signature key, each application of the signature process produces a different signature, the mechanism is said to be randomized. The eight mechanisms specified in this part of ISO/IEC are all randomized. Digital signature mechanisms can also be divided into the following two categories. When the whole message has to be stored and/or transmitted along with the signature, the mechanism is termed a "signature mechanism with appendix" (which is the subject of ISO/IEC 14888). When the whole message, or part of it, can be recovered from the signature, the mechanism is termed a "signature mechanism giving message recovery" (see ISO/IEC 9796). Security of the digital signature mechanisms is based on unsolvable problems, i.e. problems for which, given current knowledge, finding a solution is computationally infeasible, such as the factorization problem and the discrete logarithm problem. ISO/IEC specifies digital signature mechanisms with appendix based on the discrete logarithm problem, and ISO/IEC specifies digital signature mechanisms with appendix based on the factorization problem. NOTE The previous version of ISO/IEC grouped identity-based mechanisms into Part 2 and certificate-based mechanisms into Part 3, with each of the two parts covering mechanisms based on both the discrete logarithm and the factorisation problems. This revision re-organizes the grouping, so that Part 2 contains integer factoring based mechanisms and Part 3 discrete logarithm based mechanisms. This part of ISO/IEC includes eight mechanisms, two of which were in ISO/IEC :1998, and three of which are in ISO/IEC :2002. The Korean Certificate-based Digital Signature Algorithm (KCDSA) and two mechanisms based on pairing technology are newly added. vii

8 SS-ISO/IEC :2006 (E) Provläsningsexemplar / Preview The mechanisms specified in this part of ISO/IEC use a collision resistant hash-function for hashing the entire message (possibly in more than one part). ISO/IEC specifies hash-functions. The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) draw attention to the fact that it is claimed that compliance with this document may involve the use of patents. The ISO and IEC take no position concerning the evidence, validity and scope of this patent right. The holder of this patent right has assured the ISO and IEC that he is willing to negotiate licences under reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect, the statement of the holder of this patent right is registered with the ISO and IEC. Information may be obtained from: ISO/IEC JTC 1/SC 27 Standing Document 8 (SD 8) "Patent Information". SD 8 is publicly available at: Further information is available from the identified patent-holders. Area Inventors Patent Issue date Contact address DSA Kravitz US [no licence required] Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or all such patent rights. viii

9 SS-ISO/IEC :2006 (E) Information technology Security techniques Digital signatures with appendix Part 3: Discrete logarithm based mechanisms 1 Scope This part of ISO/IEC specifies digital signature mechanisms with appendix whose security is based on the discrete logarithm problem. This part of ISO/IEC provides - a general description of a digital signature with appendix mechanism; - a variety of mechanisms that provide digital signatures with appendix. For each mechanism, this part of ISO/IEC specifies - the process of generating a pair of keys; - the process of producing signatures; - the process of verifying signatures. The verification of a digital signature requires the signing entity s verification key. It is thus essential for a verifier to be able to associate the correct verification key with the signing entity, or more precisely, with (parts of) the signing entity s identification data. This association between the signer s identification data and the signer s public verification key can either be guaranteed by an outside entity or mechanism, or the association can be somehow inherent in the verification key itself. In the former case, the scheme is said to be certificatebased. In the latter case, the scheme is said to be identity based. Typically, in an identity-based scheme, the verifier can derive the signer s public verification key from the signer s identification data. The digital signature mechanisms specified in this part of ISO/IEC are classified into certificate-based and identitybased mechanisms. NOTE For certificate-based mechanisms, various PKI standards can be used for key management. For further information, see ISO/IEC , ISO/IEC (also known as X.509) and ISO/IEC Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC (all parts), Information technology Security techniques Hash-functions ISO/IEC :1998, Information technology Security techniques Digital signatures with appendix Part 1: General 1

10 SS-ISO/IEC :2006 (E) Provläsningsexemplar / Preview 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC and the following apply. 3.1 finite commutative group finite set E with the binary operation such that - for all a, b, c E, (a b) c a (b c); - there exists e E with e a a for all a E; - for all a E there exists b E with b a e; - for all a, b E, a b b a; - for all a, b E, a b E. NOTE 1 If a 0 = e, and a n+1 = a a n (for n 0) is defined recursively, the order of a E is the least positive integer n such that a n = e. NOTE 2 In some cases, such as when E is the set of points on an elliptic curve, arithmetic in the finite set E is described with additive notation. 3.2 cyclic group group E of n elements that contains an element a E, called the generator, of order n 3.3 pairing function which takes two elements, P and Q, from an elliptic curve cyclic group over a finite field, G 1, as input, and produces an element from another cyclic group over a finite field, G 2, as output, and which has the following two properties (where we assume that the cyclic groups G 1 and G 2 have order q, for some prime q, and for any two elements P, Q, the output of the pairing function is written as <P, Q>). - Bilinearity: If P, P 1, P 2, Q, Q 1, Q 2 are elements of G 1 and a is an integer satisfying 1 a q - 1, then <P 1 + P 2, Q> = <P 1, Q> <P 2, Q>, <P, Q 1 + Q 2 > = <P, Q 1 > <P, Q 2 >, and <[a]p, Q> = <P, [a]q> = <P, Q> a. - Non-degeneracy: If P is a non-identity element of G 1, <P, P> Trusted Key Generation Centre KGC trusted third party, which, in an identity-based signature mechanism, generates a private signature key for each signing entity 4 Symbols a b a b a 1, a 2 (A, B, C) D concatenation of a and b, in the order specified bitwise exclusive OR of a and b elliptic curve coefficients a permutation of (S, T 1, T 2 ), which specifies the functionality of the signature mechanisms a parameter which specifies the relationship between the signature key and the verification key E an elliptic curve defined by two elliptic curve coefficients, a 1 and a 2 2

11 SS-ISO/IEC :2006 (E) E a finite commutative group; in the mechanisms based on a multiplicative group, elements of E are in Z * p; in the mechanisms based on an additive group of elliptic curve points, elements of E are the points on the elliptic curve E over GF(r) #E the cardinality of E; in the mechanisms based on a multiplicative group, #E is p - 1; in the mechanisms based on an additive group of elliptic curve points, #E is the number of points on the elliptic curve E over GF(r) gcd(n 1, N 2 ) the greatest common divisor of integers N 1 and N 2 G an element of order q in E GF(r) the Galois field of cardinality r G 1 a cyclic group of prime order q; elements of G 1 are points on an elliptic curve over GF(r) G 2 H 1 a cyclic group of prime order q; elements of G 2 are elements of a finite field GF(r) a hash-function that converts a data string into an element in G 1 (first express the data string as an integer and then convert the integer into a point on E over GF(r) by using the I2P function, see Annex C for details) h, H 2 hash-functions, i.e. one of the mechanisms specified in ISO/IEC ID m [n]p a data string containing an identifier of the signer, used in Mechanisms IBS-1 and IBS-2 an embedding degree (or extension degree) multiplication operation that takes a positive integer n and a point P on the curve E as input and produces as output another point Q on the curve E, where Q = [n]p = P + P + + P added n -1 times. The operation satisfies [0]P = 0 E (the point at infinity), and [-n]p = [n](-p) P p q r T T 1 T 2 U V Z * N a generator of G 1 which is used in Mechanisms IBS-1 and IBS-2 a prime number or a prime power a divisor of #E and the order of G 1 and G 2, which is a prime number the size of GF(r); in the mechanisms based on an additive group of elliptic curve points, r is a prime power, p m, for some prime p 2 and integer m 1. the assignment the first part of the assignment T the second part of the assignment T KGC's master private key, which is a randomly chosen integer used in Mechanisms IBS-1 and IBS-2 KGC's master public key, which is an element of G 1 used in Mechanisms IBS-1 and IBS-2 the set of integers U with 0 < U < N and gcd (U, N) = 1, with arithmetic defined modulo N the bit-length of a prime number (or prime power) p the bit-length of a prime number q the output bit-length of hash-functions h and H 2 x x-coordinate of 0 E the point at infinity on the elliptic curve E < > a bilinear and non-degenerate pairing 3

Petroleum products Calculation of viscosity index from kinematic viscosity

SVENSK STANDARD SS-ISO 2909 Fastställd 2003-05-09 Utgåva 1 Petroleumprodukter Beräkning av viskositetsindex (baserad på kinematisk viskositet Petroleum products Calculation of viscosity index from kinematic